Guest Post: GCP CloudQuarry: Searching for Secrets in Public GCP Images

submitted by
Style Pass
2025-07-28 12:30:08

This guest post by Eduard Agavriloae and Matei Josephs, two expert cloud security researchers, was developed through Truffle Security’s Research CFP program. We first connected with Eduard and Matei after their well-received DEF CON 32 talk, AWS CloudQuarry: Digging for secrets in public AMIs, where they used TruffleHog to identify hundreds of live secrets in public AWS Images. In this follow-up, they expand their research to Google Cloud Platform (GCP).

TL;DR We scanned 8,400+ public GCP images and did not find a single exposed secret! That’s a dramatic reversal compared to the hundreds we found in AWS AMIs and dozens in Azure public images. GCP’s curated, tightly controlled image marketplace has seemingly eliminated secret exposure in its cloud images.

At DEF CON 32 last year, we presented our findings that public Amazon Machine Images (AMIs) leak hundreds of valid secrets. These images provide the software required to set up and boot an Amazon EC2 instance. 
